Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Provision contract fields for authz (contract update afterwards) #4065

Closed
wants to merge 10 commits into from
Closed

[WIP] Provision contract fields for authz (contract update afterwards) #4065

wants to merge 10 commits into from

Conversation

creydr
Copy link
Contributor

@creydr creydr commented Aug 16, 2024
edited
Loading

Fixes #4041

Proposed Changes

  • provision applying EventPolicies from Broker, KafkaChannel and KafkaSink in their contracts

Same as #4064, except that it refactors the Broker, KafkaChannel and KafkaSink reconcilers to do the contract update at the end of the reconcilation. This leads to having the .status fields which are part of the contract (e.g. OIDC audience or applying EventPolicies) are being updated directly in the contract.
Anyhow, the probing con only be done after the contract update, as otherwise the data-plane is not aware of the resource and this would lead to 404 on probing the resources endpoint. This has the side effect, that the resource will be marked as addressable, before the probe run (anyhow we have the ProbeSucceeded condition, which can render the resource as NotReady anyhow)

@knative-prow knative-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 16, 2024
@knative-prow knative-prow bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Aug 16, 2024
@knative-prow Knative Prow
Copy link

knative-prow bot commented Aug 16, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. area/control-plane labels Aug 16, 2024
@creydr
Copy link
Contributor Author

creydr commented Aug 16, 2024

/cc @pierDipi objections on doing the contract update at the end of the reconcilation?

@codecov Codecov
Copy link

codecov bot commented Aug 16, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 71.34146% with 47 lines in your changes missing coverage. Please review.

Project coverage is 48.34%. Comparing base (73e1bc9) to head (a4daa5d).

Files Patch % Lines
control-plane/pkg/reconciler/channel/channel.go 57.89% 11 Missing and 5 partials ⚠️
control-plane/pkg/core/config/utils.go 0.00% 10 Missing ⚠️
control-plane/pkg/reconciler/sink/kafka_sink.go 82.45% 5 Missing and 5 partials ⚠️
control-plane/pkg/reconciler/broker/broker.go 81.39% 4 Missing and 4 partials ⚠️
...rol-plane/pkg/reconciler/testing/objects_broker.go 0.00% 3 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##               main    #4065      +/-   ##
============================================
- Coverage     52.88%   48.34%   -4.55%     
============================================
  Files           343      244      -99     
  Lines         18013    14608    -3405     
  Branches        294        0     -294     
============================================
- Hits           9526     7062    -2464     
+ Misses         7603     6833     -770     
+ Partials        884      713     -171
Flag Coverage Δ
java-unittests ?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@Cali0707
Copy link
Member

Anyhow, the probing con only be done after the contract update, as otherwise the data-plane is not aware of the resource and this would lead to 404 on probing the resources endpoint. This has the side effect, that the resource will be marked as addressable, before the probe run (anyhow we have the ProbeSucceeded condition, which can render the resource as NotReady anyhow)

@creydr as far as I can tell from the code, we don't use the .status.address(es) field when doing the contract update. Maybe we can compute the addresses, but not set them on the resource until after the probing is successful and instead just keep them in variables somewhere? I might also be missing something...

@creydr
Copy link
Contributor Author

creydr commented Aug 16, 2024

We use the audience and later the event policies from the status. So this "safes" us one reconciliation. But I might miss here something too...

@creydr creydr force-pushed the provision-contract-fields-for-authz-contract-update-afterwards branch from 141dbd5 to aa5791b Compare August 19, 2024 05:32
@creydr creydr force-pushed the provision-contract-fields-for-authz-contract-update-afterwards branch from aa5791b to a4daa5d Compare August 19, 2024 05:37
@knative-prow Knative Prow
Copy link

knative-prow bot commented Aug 19, 2024
edited
Loading

@creydr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
reconciler-tests-namespaced-broker_eventing-kafka-broker_main a4daa5d link true /test reconciler-tests-namespaced-broker

Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@creydr
Copy link
Contributor Author

creydr commented Aug 19, 2024

Closing as discussed with @pierDipi, as sources can start to send events to addressables as soon as they have an address (they don't check the ready condition), so we should set the addressable condition, only when the addressable is ready to accept events.

@creydr creydr closed this Aug 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Cali0707 Cali0707 Awaiting requested review from Cali0707

@lionelvillard lionelvillard Awaiting requested review from lionelvillard

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/control-plane do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[control-plane] Provision allowed Subjects in the contract
2 participants
@creydr @Cali0707